Posted on 17 February 2026 by Dimitrios Glynos
In June 2025 I gave a research talk at the Offensive X conference in Athens, Greece.
The talk explored the topic of how to best report a sensitive vulnerability to an open source project, and the things that can go wrong.
The talk used as an example CVE-2024-6655, which I had discovered in the GTK+ project. This vulnerability would enable attackers to perform remote code execution on victim Linux desktops, through drive-by-download attacks.
The talk started with a short introduction on the peculiarities of open source projects. Then we explored the well-known problem of DLL hijacking in Microsoft Windows software, and explained how this has been used in practice by APT groups to take over workstations.
I then explained how CVE-2024-6655 created essentially the same problem on Linux desktops and provided the technical details of the vulnerability. My research found two environments in which the vulnerability could be triggered easily (Debian and Debian-derived distributions, and GNOME+X11 environments).
To demonstrate the vulnerability I used two example exploits: one targeting Ubuntu, where the user launches a GTK+-based application from “Downloads” using the command line, and a second where the user launches a GTK+-based application as an AppImage bundle from the “Downloads” directory.
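The underlying condition in both the Windows DLL-hijacking case and the Linux case described above is a program resolving a library from a directory the user does not control, such as “Downloads”. The following is an added defender-side check, not code from the talk or from the GTK+ project: it audits colon-separated search-path environment variables for entries that make the current working directory part of the lookup. It does not model the specific lookup GTK+ performed in CVE-2024-6655 (that detail is not described here); `PATH` and `LD_LIBRARY_PATH` are the standard shell and dynamic-loader search variables, `GTK_PATH` is included on the assumption that a GTK module search path is relevant, and the sample environment is constructed for illustration.

```python
"""Audit search-path variables for entries that resolve to the current working
directory (empty entries, ".", or relative paths).

Added example for this post; not code from the talk or from GTK+.  It is a
generic check for the DLL-hijacking-style condition the post describes and does
not model GTK+'s own module lookup in CVE-2024-6655.  GTK_PATH is included on
the assumption that a GTK module search path is relevant.
"""
import os
from typing import Dict, List, Tuple

# Variables whose entries are searched in order for executables or libraries.
# GTK_PATH: assumed to be a relevant search variable (not stated in the post).
SEARCH_VARS = ("PATH", "LD_LIBRARY_PATH", "GTK_PATH")

Finding = Tuple[str, int, str, str]  # (variable, position, entry, reason)


def risky_entries(var: str, value: str) -> List[Finding]:
    """Return the entries of a colon-separated search path that resolve
    relative to the current working directory.

    An empty entry (leading ":", trailing ":", or "::") and "." both mean
    "search the cwd"; any other relative path is resolved against whatever
    directory the program was started from, e.g. "Downloads".  An entirely
    empty value is flagged conservatively as one empty entry.
    """
    findings: List[Finding] = []
    for pos, entry in enumerate(value.split(":")):
        if entry == "":
            findings.append((var, pos, entry, "empty entry resolves to the cwd"))
        elif entry == ".":
            findings.append((var, pos, entry, "explicit cwd entry"))
        elif not os.path.isabs(entry):
            findings.append((var, pos, entry, "relative path resolved against the cwd"))
    return findings


def audit_environment(env: Dict[str, str]) -> List[Finding]:
    """Run risky_entries over every search variable present in env."""
    findings: List[Finding] = []
    for var in SEARCH_VARS:
        if var in env:
            findings.extend(risky_entries(var, env[var]))
    return findings


# Constructed sample environment (not captured from a real system).
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin::/bin",  # "::" means the cwd is searched
    "LD_LIBRARY_PATH": "/opt/app/lib:.",      # "." means the cwd is searched
    "GTK_PATH": "/usr/lib/gtk-3.0",           # absolute entries only: clean
}

if __name__ == "__main__":
    print("Constructed sample environment:")
    for var, pos, entry, reason in audit_environment(SAMPLE_ENV):
        print(f"  {var}[{pos}] = {entry!r}: {reason}")
    print("Current process environment:")
    real = audit_environment(dict(os.environ))
    for var, pos, entry, reason in real:
        print(f"  {var}[{pos}] = {entry!r}: {reason}")
    if not real:
        print("  no cwd-relative search entries found")
```

A clean result from this script does not prove an application is safe, since a library can also be loaded through a hard-coded relative path inside the program itself; it only rules out the environment-driven variant of the problem.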
The presentation then focused on how to pitch a sensitive vulnerability to an open source project. I explained my reasoning and preparation behind the reporting of CVE-2024-6655. I then showcased some of the things that went wrong in the communication and handling of the issue (e.g. bug disclosure, CVE allocation delays, rejected embargo / hotfix, work-in-progress PoCs, limited reach etc.). Finally, I closed the presentation with some tips for researchers on how to best communicate such issues to open source projects and how to support the project's efforts in creating the needed fixes.
You can find the slides of this presentation below.
Sample videos of CVE-2024-6655 exploits in action can be found in the CVE-2024-6655 advisory.
Videos of the presentation have not been released yet.
We would like to thank the organizers and participants for this great event, and we hope to meet again in Offensive X 2026!